mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-14 14:56:27 +03:00
caddytls: Adjust DNS challenge structure; clarify some docs
This commit is contained in:
parent
f931c26f68
commit
a1796c2f14
4 changed files with 41 additions and 15 deletions
|
@ -211,12 +211,13 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
||||||
provName := h.Val()
|
provName := h.Val()
|
||||||
if acmeIssuer.Challenges == nil {
|
if acmeIssuer.Challenges == nil {
|
||||||
acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
|
acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
|
||||||
|
acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
|
||||||
}
|
}
|
||||||
dnsProvModule, err := caddy.GetModule("tls.dns." + provName)
|
dnsProvModule, err := caddy.GetModule("tls.dns." + provName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, h.Errf("getting DNS provider module named '%s': %v", provName, err)
|
return nil, h.Errf("getting DNS provider module named '%s': %v", provName, err)
|
||||||
}
|
}
|
||||||
acmeIssuer.Challenges.DNSRaw = caddyconfig.JSONModuleObject(dnsProvModule.New(), "provider", provName, h.warnings)
|
acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(dnsProvModule.New(), "name", provName, h.warnings)
|
||||||
|
|
||||||
case "ca_root":
|
case "ca_root":
|
||||||
arg := h.RemainingArgs()
|
arg := h.RemainingArgs()
|
||||||
|
|
|
@ -388,7 +388,9 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
|
||||||
return nil, fmt.Errorf("getting DNS provider module named '%s': %v", provName, err)
|
return nil, fmt.Errorf("getting DNS provider module named '%s': %v", provName, err)
|
||||||
}
|
}
|
||||||
mgr.Challenges = &caddytls.ChallengesConfig{
|
mgr.Challenges = &caddytls.ChallengesConfig{
|
||||||
DNSRaw: caddyconfig.JSONModuleObject(dnsProvModule.New(), "provider", provName, &warnings),
|
DNS: &caddytls.DNSChallengeConfig{
|
||||||
|
ProviderRaw: caddyconfig.JSONModuleObject(dnsProvModule.New(), "name", provName, &warnings),
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if acmeCARoot != nil {
|
if acmeCARoot != nil {
|
||||||
|
|
|
@ -86,8 +86,8 @@ func (ACMEIssuer) CaddyModule() caddy.ModuleInfo {
|
||||||
// Provision sets up m.
|
// Provision sets up m.
|
||||||
func (m *ACMEIssuer) Provision(ctx caddy.Context) error {
|
func (m *ACMEIssuer) Provision(ctx caddy.Context) error {
|
||||||
// DNS providers
|
// DNS providers
|
||||||
if m.Challenges != nil && m.Challenges.DNSRaw != nil {
|
if m.Challenges != nil && m.Challenges.DNS != nil && m.Challenges.DNS.ProviderRaw != nil {
|
||||||
val, err := ctx.LoadModule(m.Challenges, "DNSRaw")
|
val, err := ctx.LoadModule(m.Challenges.DNS, "ProviderRaw")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("loading DNS provider module: %v", err)
|
return fmt.Errorf("loading DNS provider module: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -95,7 +95,7 @@ func (m *ACMEIssuer) Provision(ctx caddy.Context) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("making DNS provider: %v", err)
|
return fmt.Errorf("making DNS provider: %v", err)
|
||||||
}
|
}
|
||||||
m.Challenges.DNS = prov
|
m.Challenges.DNS.provider = prov
|
||||||
}
|
}
|
||||||
|
|
||||||
// add any custom CAs to trust store
|
// add any custom CAs to trust store
|
||||||
|
@ -152,7 +152,9 @@ func (m *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) {
|
||||||
template.DisableTLSALPNChallenge = m.Challenges.TLSALPN.Disabled
|
template.DisableTLSALPNChallenge = m.Challenges.TLSALPN.Disabled
|
||||||
template.AltTLSALPNPort = m.Challenges.TLSALPN.AlternatePort
|
template.AltTLSALPNPort = m.Challenges.TLSALPN.AlternatePort
|
||||||
}
|
}
|
||||||
template.DNSProvider = m.Challenges.DNS
|
if m.Challenges.DNS != nil {
|
||||||
|
template.DNSProvider = m.Challenges.DNS.provider
|
||||||
|
}
|
||||||
template.ListenHost = m.Challenges.BindHost
|
template.ListenHost = m.Challenges.BindHost
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -35,8 +35,15 @@ type AutomationConfig struct {
|
||||||
|
|
||||||
// On-Demand TLS defers certificate operations to the
|
// On-Demand TLS defers certificate operations to the
|
||||||
// moment they are needed, e.g. during a TLS handshake.
|
// moment they are needed, e.g. during a TLS handshake.
|
||||||
// Useful when you don't know all the hostnames up front.
|
// Useful when you don't know all the hostnames at
|
||||||
// Caddy was the first web server to deploy this technology.
|
// config-time, or when you are not in control of the
|
||||||
|
// domain names you are managing certificates for.
|
||||||
|
// In 2015, Caddy became the first web server to
|
||||||
|
// implement this experimental technology.
|
||||||
|
//
|
||||||
|
// Note that this field does not enable on-demand TLS,
|
||||||
|
// it only configures it for when it is used. To enable
|
||||||
|
// it, create an automation policy with `on_demand`.
|
||||||
OnDemand *OnDemandConfig `json:"on_demand,omitempty"`
|
OnDemand *OnDemandConfig `json:"on_demand,omitempty"`
|
||||||
|
|
||||||
// Caddy staples OCSP (and caches the response) for all
|
// Caddy staples OCSP (and caches the response) for all
|
||||||
|
@ -239,13 +246,14 @@ type ChallengesConfig struct {
|
||||||
// not enabled by default. This is the only challenge
|
// not enabled by default. This is the only challenge
|
||||||
// type which does not require a direct connection
|
// type which does not require a direct connection
|
||||||
// to Caddy from an external server.
|
// to Caddy from an external server.
|
||||||
DNSRaw json.RawMessage `json:"dns,omitempty" caddy:"namespace=tls.dns inline_key=provider"`
|
// NOTE: DNS providers are currently being upgraded,
|
||||||
|
// and this API is subject to change, but should be
|
||||||
|
// stabilized soon.
|
||||||
|
DNS *DNSChallengeConfig `json:"dns,omitempty"`
|
||||||
|
|
||||||
// Optionally customize the host to which a listener
|
// Optionally customize the host to which a listener
|
||||||
// is bound if required for solving a challenge.
|
// is bound if required for solving a challenge.
|
||||||
BindHost string `json:"bind_host,omitempty"`
|
BindHost string `json:"bind_host,omitempty"`
|
||||||
|
|
||||||
DNS challenge.Provider `json:"-"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// HTTPChallengeConfig configures the ACME HTTP challenge.
|
// HTTPChallengeConfig configures the ACME HTTP challenge.
|
||||||
|
@ -274,12 +282,25 @@ type TLSALPNChallengeConfig struct {
|
||||||
AlternatePort int `json:"alternate_port,omitempty"`
|
AlternatePort int `json:"alternate_port,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DNSChallengeConfig configures the ACME DNS challenge.
|
||||||
|
// NOTE: This API is still experimental and is subject to change.
|
||||||
|
type DNSChallengeConfig struct {
|
||||||
|
// The DNS provider module to use which will manage
|
||||||
|
// the DNS records relevant to the ACME challenge.
|
||||||
|
ProviderRaw json.RawMessage `json:"provider,omitempty" caddy:"namespace=tls.dns inline_key=name"`
|
||||||
|
|
||||||
|
// The TTL of the TXT record used for the DNS challenge.
|
||||||
|
TTL caddy.Duration `json:"ttl,omitempty"`
|
||||||
|
|
||||||
|
provider challenge.Provider
|
||||||
|
}
|
||||||
|
|
||||||
// OnDemandConfig configures on-demand TLS, for obtaining
|
// OnDemandConfig configures on-demand TLS, for obtaining
|
||||||
// needed certificates at handshake-time. Because this
|
// needed certificates at handshake-time. Because this
|
||||||
// feature can easily be abused, you should set up rate
|
// feature can easily be abused, you should use this to
|
||||||
// limits and/or an internal endpoint that Caddy can
|
// establish rate limits and/or an internal endpoint that
|
||||||
// "ask" if it should be allowed to manage certificates
|
// Caddy can "ask" if it should be allowed to manage
|
||||||
// for a given hostname.
|
// certificates for a given hostname.
|
||||||
type OnDemandConfig struct {
|
type OnDemandConfig struct {
|
||||||
// An optional rate limit to throttle the
|
// An optional rate limit to throttle the
|
||||||
// issuance of certificates from handshakes.
|
// issuance of certificates from handshakes.
|
||||||
|
|
Loading…
Reference in a new issue